[nginx] SSL: removed export ciphers support.

Sergey Kandaurov pluknet at nginx.com
Tue Aug 10 21:46:42 UTC 2021


details:   https://hg.nginx.org/nginx/rev/509b663a789c
branches:  
changeset: 7900:509b663a789c
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Tue Aug 10 23:43:17 2021 +0300
description:
SSL: removed export ciphers support.

Export ciphers may not be negotiated in TLS 1.1 and later protocol versions.
They are disabled since OpenSSL 1.0.2g by default unless explicitly configured
with "enable-weak-ssl-ciphers", and completely removed in OpenSSL 1.1.0.

diffstat:

 src/event/ngx_event_openssl.c |  31 -------------------------------
 src/event/ngx_event_openssl.h |   5 -----
 2 files changed, 0 insertions(+), 36 deletions(-)

diffs (70 lines):

diff -r 1a03af395f44 -r 509b663a789c src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Tue Aug 10 23:43:17 2021 +0300
+++ b/src/event/ngx_event_openssl.c	Tue Aug 10 23:43:17 2021 +0300
@@ -863,11 +863,6 @@ ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_
         SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
     }
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
-    /* a temporary 512-bit RSA key is required for export versions of MSIE */
-    SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
-#endif
-
     return NGX_OK;
 }
 
@@ -1120,32 +1115,6 @@ ngx_ssl_info_callback(const ngx_ssl_conn
 }
 
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
-
-RSA *
-ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
-    int key_length)
-{
-    static RSA  *key;
-
-    if (key_length != 512) {
-        return NULL;
-    }
-
-#ifndef OPENSSL_NO_DEPRECATED
-
-    if (key == NULL) {
-        key = RSA_generate_key(512, RSA_F4, NULL, NULL);
-    }
-
-#endif
-
-    return key;
-}
-
-#endif
-
-
 ngx_array_t *
 ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
 {
diff -r 1a03af395f44 -r 509b663a789c src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Tue Aug 10 23:43:17 2021 +0300
+++ b/src/event/ngx_event_openssl.h	Tue Aug 10 23:43:17 2021 +0300
@@ -29,7 +29,6 @@
 #include <openssl/ocsp.h>
 #endif
 #include <openssl/rand.h>
-#include <openssl/rsa.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -208,10 +207,6 @@ ngx_int_t ngx_ssl_ocsp_validate(ngx_conn
 ngx_int_t ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s);
 void ngx_ssl_ocsp_cleanup(ngx_connection_t *c);
 ngx_int_t ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data);
-#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
-RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
-    int key_length);
-#endif
 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
 ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
     ngx_array_t *passwords);

